Solved! Go to Solution.
Had the problem just yesterday.
All Policys using Service "Any" were ignored. Therefore traffic "Denied by forward policy check (policy 0)"
turns out the definition of "Any/All" is missing a line after upgrade
config firewall service custom
edit "ALL"
set category "General"
set protocol IP
next
but must be
config firewall service custom
edit "ALL"
set category "General"
set protocol IP
set protocol-number 0
next
once you edit the service and gibe it back the
" set protocol-number 0"
It works again.
Gave me a mild heartattack with a upgrade in a remote location and a small maintenance window.
NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C
I had the same problem. I have two FG-100Ds. Our production is running 4.3.18. Upgrade guides indicate I should be able to go from 4.3.18-5.0.10-5.2.2.
I did a factory reset on our backup FG-100D. Then did a TFTP firmware load and boot device format to 4.3.18. Worked fine. Then I restored the production firmware from our 4.3.18 system and all of the settings came over.
Next I upgraded to 5.0.10. I watched via the console and noted that some things were changed using the "diag debug config-error-log read" to show what had change. All changes were minor.
Finally I upgraded to 5.2.2, again reviewing any errors to the config the first time it reboots.
I spent the rest of the day attempting to test throughput using a temp config between port 15 and WAN 2, thus leaving my other policies intact. I could not get it to work. Finally I realized it was the ALL/ANY problem. I was simply trying to verify services would pass. I knew WAN2 was working as the Firewall registered with Fortinet and downloaded latest updates.
I could ping from the CLI to 8.8.8.8 (Google) but I could not ping via a laptop connected to port 15. Nor could I ping the IP assigned to WAN 2. I finally realized if I changed the service to "Ping" instead of "All" it worked. I also tried ALL_TCP and ALL_UDP. That also did not allow Ping because it is ICMP. So not sure how to create an "allow anything" service definition. I have a few systems that I allow that for outbound because of dynamic ports.
So I'm not sure what the default options should be. Attached is screenshot of my "General" services. Can someone else on 5.2.2 confirm this is what they have?
Had the problem just yesterday.
All Policys using Service "Any" were ignored. Therefore traffic "Denied by forward policy check (policy 0)"
turns out the definition of "Any/All" is missing a line after upgrade
config firewall service custom
edit "ALL"
set category "General"
set protocol IP
next
but must be
config firewall service custom
edit "ALL"
set category "General"
set protocol IP
set protocol-number 0
next
once you edit the service and gibe it back the
" set protocol-number 0"
It works again.
Gave me a mild heartattack with a upgrade in a remote location and a small maintenance window.
Ah! Now I understand. On my system it changed ALL to Protocol IP, Protocol number 6. Once I changed it in the GUI to Protocol number 0, it now display under Details as "ANY".
Thanks SO much. These are the kinds of little things about Fortinet firmware upgrades that drive me crazy but I still wouldn't use any other vendor.
Doing a little more research, I see that IP Protocol 0 is listed as being "IPv6 Hop-by-Hop Option"
http://en.wikipedia.org/wiki/List_of_IP_protocol_numbers
Not sure what kind of a problem that causes if you are using IPv6.
Hello,
Few days ago, I upgraded 10 FGT 90D from 5.0.9 to 5.2.2.
For two of them, protocol number was changed from 0 to 6 (so only TCP traffic was allowed)...
Regards,
HA
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.